SaaS Contract Ambiguity Raises Security Concerns: Gartner

By Nathan Eddy |
Posted 2013-08-05

Software-as-a-service (SaaS) contracts often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident, which leads to dissatisfaction among cloud services users, according to a report from IT research firm Gartner.

Buyers of commercial cloud services, especially SaaS, are finding security provisions inadequate, and these ambiguous terms are also making it harder for service providers to manage risk and defend their risk position to auditors and regulators.

The report cautioned that, at a minimum, cloud services users should ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure.

"We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers," Alexa Bona, vice president and distinguished analyst at Gartner, said in a statement. "As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting an on-site audit and/or monitoring the cloud services provider."

Gartner predicted that, through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security. The Cloud Security Alliance (CSA), a nonprofit organization aimed at bolstering cloud computing, has a Cloud Controls Matrix in the form of a spreadsheet containing control objectives deemed by participants in the CSA to be important for cloud computing, one of the ways service contracts could be improved.

"Whatever term is used to describe the specifics of the service-level agreement (SLA), IT procurement professionals expecting their data to be protected from attack, or to be restorable in case of an incident, must ensure their providers are contractually obligated to meet those expectations," Bona said. "We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed."

In addition, the lack of meaningful financial compensation for losses of security, service or data also represents an undesirable form of risk exposure in SaaS contracts. The report said it will be crucial that some form of service, such as protection from unauthorized access by third parties, annual certification to a security standard and regular vulnerability testing, be committed to in writing. In addition, SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible.

"Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy and compliance managers to participate in the buying process led by IT procurement professionals," Bona said. "They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation."